In an app I need to edit a user's user name, email, phone, and password (for the optional password, I found this solution ).
But this change is made via API. Since it involves data change I need to know how to make this change safely. If it were only on the web I would use current_user which would guarantee that only the logged in user would change their own data. But in this case I do not know how it works.
I recommend that you take a TOKEN approach to user authentication via the API (note that it is not related to Devise's old TokenAuthenticable).
Your model User will have a TOKEN which will be a random code. At each API request you pass this TOKEN to ensure that it is the true user.
Rails already have a method to verify this type of authentication: authenticate_with_http_token
If you want to increase security, you can also provide a APP_SECRET that will be used to encrypt your token, using an algorithm.
This APP_SECRET will not be sent in communication (HTTP calls), but it must be stored on both the server and the client.
References that may help you:
